79252524

Date: 2024-12-04 19:44:43
Score: 1
Natty:

The CSRF token is generated on the server-side when a user session is initiated. This token is unique to the session and is not directly exposed to the client.

The generated CSRF token is embedded into the HTML form as a hidden input field. This hidden field is not visible to the user but is included in the form submission.

When a user submits the form, the browser automatically includes the session cookie in the request. However, the CSRF token is not automatically included by the browser. It must be explicitly extracted from the hidden field and included in the request.

Even if an attacker manages to trick a user into clicking a malicious link, they cannot directly access the CSRF token from the client side, so he/she won't get the token to perform a malicious action.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Bharathwajan
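The flow the answer describes, written out as an added example (not code from the answer or from any framework): the server mints a random token when the session starts, embeds it in a hidden form field, and on POST compares the submitted field against the token bound to the session identified by the cookie. The in-memory `SESSIONS` dict, the route names and the form fields are constructed stand-ins for a real session backend and web framework.

```python
import hmac
import html
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for a server-side session store; a real app would use
# its framework's session backend. Tokens live only here, never in a cookie.
SESSIONS: Dict[str, dict] = {}


def start_session() -> str:
    """Create a session and bind a fresh random CSRF token to it on the server."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_form(session_id: str) -> str:
    """Embed the session's CSRF token in the HTML form as a hidden input."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">\n'
        f'  <input type="hidden" name="csrf_token" value="{html.escape(token)}">\n'
        '  <input type="text" name="amount">\n'
        '  <button type="submit">Send</button>\n'
        "</form>"
    )


HIDDEN_RE = re.compile(r'<input type="hidden" name="csrf_token" value="([^"]*)">')


def extract_hidden_token(form_html: str) -> Optional[str]:
    """What the legitimate page does on submit: read the hidden field's value."""
    m = HIDDEN_RE.search(form_html)
    return html.unescape(m.group(1)) if m else None


def handle_post(cookies: dict, form_fields: dict) -> Tuple[int, str]:
    """Server-side check: the token in the body must match the cookie's session."""
    session = SESSIONS.get(cookies.get("session_id", ""))
    if session is None:
        return 401, "no session"
    submitted = form_fields.get("csrf_token")
    # Constant-time comparison on bytes so a non-ASCII value cannot raise.
    if submitted is None or not hmac.compare_digest(
        submitted.encode("utf-8"), session["csrf_token"].encode("utf-8")
    ):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {form_fields.get('amount')}"


def legitimate_submit(session_id: str) -> Tuple[int, str]:
    """Same-origin page: renders the form, extracts the hidden field, posts both."""
    page = render_form(session_id)
    token = extract_hidden_token(page)
    return handle_post({"session_id": session_id}, {"csrf_token": token, "amount": "10"})


def cross_site_submit(session_id: str) -> Tuple[int, str]:
    """Forged request: the browser attaches the cookie automatically, but the
    foreign page never saw the hidden field, so no token is in the body."""
    return handle_post({"session_id": session_id}, {"amount": "10"})


if __name__ == "__main__":
    sid = start_session()
    print(legitimate_submit(sid))   # (200, 'transferred 10')
    print(cross_site_submit(sid))   # (403, 'csrf token missing or invalid')
```

The cookie alone identifies the session; the hidden field is what proves the request came from a page that could read the server-rendered form. `hmac.compare_digest` is used so the check does not leak timing differences between near-matching tokens.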